v0 App

The Digital Personal Data Protection Act, 2023 ("DPDP Act") is the first data protection legislation of India. Its enactment has marked a significant shift in the data protection landscape of India. The aim of this article is to dive deeper into the scope and ambit of tortious actions under the legislation by primarily focusing on how the DPDP Act has structured recourse to legal remedies. The same will be examined in light of the restrictions placed on judicial recourse by the Data Principals.

Understanding the Legal Framework

The DPDP Act establishes a specialized framework for addressing the violations under the legislation. The framework differs from conventional tortious liability structures as it implements a constrained process for the aggrieved individuals by barring the jurisdiction of the civil courts in all the matters in which the Data Protection Board is empowered to take actions under the legislation.

Section 35 - Immunity Shield Clause

Section 35 of the DPDP Act is a significant immunity shield clause. In other words, the provision effectively insulates the Central Government, the Data Protection Board, its Chairperson and any Member, officer or employees from legal actions if they demonstrate "good faith" in the implementation of the provisions of this legislation. The same might pose a substantial obstacle for the Data Principals seeking to challenge the administrative decisions or regulatory failures.

Section 39 - Restriction on Judicial Remedies

Furthermore, Section 39 of the legislation restricts access to judicial remedies. In other words, it bars the jurisdiction of the civil courts. In simpler words, the provision effectively ousts the jurisdiction of the civil courts in matters where the Data Protection Board has authority under the legislation. This creates a significant departure from the traditional tortious remedies where the courts serve as a primary adjudicatory forum.

Data Protection Board as the Primary Adjudicatory Mechanism

Under the framework established by the DPDP Act, the Data Protection Board of India is the central authority for addressing the complaints pertaining to the violation of the provisions of the legislation. The DPDP Act under Section 27 stipulates the extensive powers and functions of the Data Protection Board.

Board's Process for Handling Complaints:

1. The Data Principal can file a formal complaint with the Data Protection Board
2. Upon the assessment of the complaint, the Board will investigate into the alleged violations of the provisions of the legislation
3. Following the same, the Board will provide the parties to present their cases in light of the Principal of audi alteram partem
4. Upon assessment of the case, determine the liability and appropriate remedy for the aggrieved party
5. Additionally, the Board can issue interim orders during the investigation to prevent further harm to the parties

Scope of Tortious Liability under the DPDP Act

Unlike its European counterpart, the General Data Protection Regulation (GDPR), the DPDP Act lacks explicit provisions where Data Principals can directly approach the courts for compensation. The DPDP Act establishes a regulatory framework through the Data Protection Board, empowering it to impose financial penalties on the non-compliance of the obligations specified within the legislation. However it remains conspicuously silent on the individual compensation mechanisms.

📝 Comparison with GDPR

Article 82 of the GDPR explicitly grants the Data Subjects the right to receive compensation from the Data Controllers and the Data Processors for material or non-material damages arising from the violation of the provisions of the DPDP Act. This direction compensation pathway is absent in the DPDP Act, leaving the affected Data Principals with no option but to explore alternative legal avenues.

The Alternative Pathway

In the absence of explicit statutory remedies under the DPDP Act, Data Principals may need to resort to alternative legal frameworks:

1. Breach of Contract

In the absence of explicit statutory remedies under the DPDP Act, Data Principals may need to resort to contractual remedies available under existing Indian legal frameworks. When personal data is processed under contractual arrangements, a breach of data protection obligations could constitute a breach of contract. The injured party may then pursue compensation under the Indian Contract Act, 1872.

2. Damages for Financial Losses

Financial losses resulting from data breaches present another potential avenue for compensation. When unauthorized access, disclosure, or misuse of personal data leads to direct financial damage such as identity theft, the affected individuals may claim damages under tort law and the Information Technology Act, 2000.

3. Remedies for Loss of Reputation

Reputation damage resulting from data breaches constitutes another significant harm that may warrant compensation under tort law principles. When unauthorized disclosure of sensitive personal information damages an individual's reputation, remedies may be available through defamation claims or under the tort of invasion of privacy. Courts may award damages commensurate with the severity of reputational harm suffered.

4. Additional Tortious Actions

Beyond these specific categories, the broader principles of tort law—particularly negligence—may provide recourse for Data Principals. Organizations processing personal data owe a duty of care to implement reasonable security measures. Failure to meet this standard of care, resulting in data breaches, could establish liability for negligence.

5. Right to Constitutional Remedies

Data Principals are empowered to approach the Supreme Court and the High Courts under Articles 32 and 226 of the Constitution of India. They are entitled to file a writ petition in cases of alleged violation of their fundamental right to privacy guaranteed under Article 21 of the Constitution of India.

However, this fragmented approach places additional burdens on Data Principals, who must navigate complex legal theories rather than rely on clear statutory rights. As Indian data protection jurisprudence evolves, courts will likely play a crucial role in shaping how these traditional legal remedies interact with the emerging data protection framework.

Our Opinion

The DPDPA creates a distinctive regime that significantly departs from traditional civil remedies. By establishing the Data Protection Board as the primary adjudicatory body while explicitly barring civil court jurisdiction, the DPDP Act channels data protection disputes through a specialized but potentially more limited framework.

The constitutional remedy pathway remains critically important as an alternative avenue, particularly for cases involving fundamental privacy rights violations. However, this pathway sets a higher threshold and may not be accessible or appropriate for all types of data protection grievances.

Furthermore, in our opinion the legislation presents a significant limitation for Data Principals. Despite undergoing the prescribed complaint procedure, Data Principals are not entitled to a direct remedy. Any penalties levied by the Data Protection Board for contraventions of the DPDP Act are remitted to the government, leaving aggrieved Data Principals without a mechanism for direct compensation under the statute itself.

As the implementation of the DPDP Act continues to unfold, the interplay between the Board's adjudicatory role and the constitutional courts' intervention will shape the practical effectiveness of tortious remedies under India's new data protection regime. Data principals, fiduciaries, and legal practitioners must navigate this complex landscape carefully to effectively address data protection violations while respecting the procedural frameworks established by the legislation.

Tortious Liability Under the Digital Personal Data Protection Act, 2023